Fortra GoAnywhere - SAML-Relying-Party-Configuration-RSA-Ready-Implementation-Guide
a year ago

This section describes how to integrate GoAnywhere with RSA Cloud Authentication Service by registering GoAnywhere as a SAML Relying Party.


Configure RSA Cloud Authentication Service

Perform these steps to configure a Relying Party for GoAnywhere in RSA Cloud Authentication Service.

Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Select the Authentication Clients > Relying Parties menu item at the top of the page.
  3. Click the Add a Relying Party button on the My Relying Parties page.
  4. From the Relying Party Catalog, select the Add button for Service Provider SAML.
  5. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.
  6. On the Authentication page, select SecurID manages all authentication.
  7. From the 2.0 Access Policy for Authentication pulldown, select a policy that was previously configured, then select Next Step.
  8. Select the Enter Manually button on the Connection Profile page.
  9. Go to the Service Provider section and enter the following details.
    1. Assertion Consumer Service (ACS) URL: enter a URL in the format https://<GoAnywhere>/webclient/saml/consume, replacing <GoAnywhere> with the IP address or fully qualified domain name (FQDN) of your GoAnywhere MFT server. This value must be identical to the SSO Response URL you will enter in GoAnywhere, since RSA only posts assertions to this address.
    2. Service Provider Entity ID: enter a unique string of your choice. It MUST be identical to the Entity ID you enter on the Service Provider tab in GoAnywhere.
  10. Go to the Message Protection section, check the SP signs SAML requests option and upload the GoAnywhere certificate (the public certificate only, never the private key). This guide reuses the SSL certificate of the GoAnywhere HTTPS service for signing SAML requests.
  11. In the SAML Response Protection section, select the radio button for IdP signs entire SAML response, then click Download Certificate. You will need this certificate later when configuring GoAnywhere; it is the trusted certificate GoAnywhere uses to verify the signature on responses from RSA.
  12. Go to the User Identity section and select the following.
    1. Identifier Type > emailAddress
    2. Property > mail
  13. In the Statement Attributes section, enter the following information.
    1. Select Identity Source from the Attribute Source dropdown list, enter email in the Attribute Name text box and select mail from the Property dropdown list.
  14. Scroll down to the Identity Provider section. Take note of the Entity ID and the Identity Provider URL, since both are needed in the GoAnywhere configuration.
  15. Click Save and Finish.
  16. Locate the application you created on the Relying Parties page and click the dropdown arrow next to Edit > Metadata > Download Metadata File.
  17. Click Publish Changes and wait for the operation to complete.
  18. After publishing, your application is enabled for SSO.
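Before moving on to the GoAnywhere side, it is worth checking that the metadata file downloaded in the step above and the values you intend to enter in GoAnywhere agree with each other. The script below is an added example, not code from this article or from RSA or Fortra: it parses a standard SAML 2.0 IdP metadata document, pulls out the Entity ID, the HTTP-POST sign-on URL and the signing certificate that the GoAnywhere Identity Provider tab needs, and then flags the mismatches that most often break the login (Service Provider Entity IDs that differ between the two sides, an ACS URL that is not https or not /webclient/saml/consume, an IP address instead of an FQDN, an IdP with no HTTP-POST endpoint or no signing certificate). The metadata document, the hostnames idp.example.com and mft.example.com, the entity ID goanywhere-mft-prod and the certificate text are constructed placeholders.

```python
"""Cross-check RSA IdP metadata against the planned GoAnywhere SP settings.

Added example; not part of the Fortra article or of any RSA/GoAnywhere code.
The metadata below is constructed for the demo (placeholder URLs and cert).
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_PATH = "/webclient/saml/consume"   # fixed path of the GoAnywhere SAML consumer

# Constructed sample in the shape of a "Download Metadata File" result.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder-base64-der...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values the GoAnywhere Identity Provider tab asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == HTTP_POST]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))   # strip PEM line wrapping
    return {
        "entity_id": root.get("entityID"),
        "post_url": post_urls[0] if post_urls else None,
        "signing_certs": [c for c in certs if c],
        "nameid_formats": [f.text for f in idp.findall("md:NameIDFormat", NS)],
    }


def check_settings(idp, sp_entity_id_goanywhere, sp_entity_id_rsa, acs_url, sso_site_url):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    if sp_entity_id_goanywhere != sp_entity_id_rsa:
        problems.append("SP Entity ID differs between GoAnywhere and the RSA relying party")
    acs = urlparse(acs_url)
    if acs.scheme != "https":
        problems.append("ACS URL must use https")
    if acs.path != ACS_PATH:
        problems.append(f"ACS URL path must be {ACS_PATH}")
    try:
        ipaddress.ip_address(acs.hostname or "")
        problems.append("ACS URL uses an IP address; use the FQDN on the HTTPS certificate")
    except ValueError:
        pass   # hostname is not an IP literal, which is what we want
    site = urlparse(sso_site_url)
    if (site.scheme, site.netloc) != (acs.scheme, acs.netloc):
        problems.append("SSO Site URL and ACS URL name different hosts")
    if idp["post_url"] is None:
        problems.append("IdP metadata has no HTTP-POST SingleSignOnService (GoAnywhere binding is HTTP Post)")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate to trust in the key vault")
    if EMAIL_FORMAT not in idp["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("Entity ID:", meta["entity_id"], "| Post URL:", meta["post_url"])
    print(check_settings(meta, "goanywhere-mft-prod", "goanywhere-mft-prod",
                         "https://mft.example.com/webclient/saml/consume", "https://mft.example.com"))
```

To use it against a real download, read the metadata file into `parse_idp_metadata` and pass the Entity ID, ACS URL and SSO Site URL you plan to type into GoAnywhere to `check_settings`. The base64 certificate it extracts is the same one the Download Certificate button produces and can be compared byte for byte with what is in the System Key Vault.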


Configure GoAnywhere

Perform these steps to configure GoAnywhere.

Procedure

  1. Open a web browser and connect to the GoAnywhere Web UI at https://<GoAnywhere>/webclient/Login.xhtml, where <GoAnywhere> is the IP address or fully qualified domain name (FQDN) of the GoAnywhere MFT server.
  2. Enter your admin username and password.
  3. From the sidebar navigation menu, select Users > Login Methods.
  4. Click + Add Login Method.
  5. Choose SAML Single Sign On, then click Continue.
  6. In the Preferences menu, select General and enter a Name of your choice for the SAML server.
  7. Go to the Identity Provider tab. You can either enter the details manually using the sub-steps below, or click Import Metadata and upload the metadata file exported from RSA Cloud Authentication Service to fill the fields automatically.
    1. In the Entity ID field, enter the Identity Provider Entity ID value noted during the RSA Cloud Authentication Service configuration.
    2. In the Trusted Certificate Location field, select the System Key Vault. The certificate downloaded from RSA must already be present there; it is what GoAnywhere uses to verify the signature on responses from RSA.
    3. In the Binding field, select HTTP Post.
    4. In the Post URL field, enter the Identity Provider URL value noted during the RSA Cloud Authentication Service configuration.
  8. Select the Service Provider tab.
    1. In the Entity ID field, enter a unique string of your choice. It MUST be identical to the Service Provider Entity ID you entered in RSA Cloud Authentication Service.
    2. Enter any Name Qualifier.
    3. In the Private Key Location dropdown, select System Key Vault.
    4. In the Private Key Name field, select the GoAnywhere certificate whose public certificate you uploaded to RSA Cloud Authentication Service for signing SAML requests.

Note: This is the SSL certificate used for the HTTPS service in GoAnywhere. Generate this certificate, with its private key in the System Key Vault, in advance so that it can be used both here and in the RSA Cloud Authentication Service configuration.

    5. Select the Require Signed Assertion checkbox, so that GoAnywhere rejects assertions that do not carry a valid signature.
    6. In the SSO Site URL field, enter https://<GoAnywhere>, where <GoAnywhere> is the IP address or FQDN of the GoAnywhere MFT server.
    7. In the SSO Response URL field, enter the same value as the Assertion Consumer Service (ACS) URL in the RSA Cloud Authentication Service configuration, that is https://<GoAnywhere>/webclient/saml/consume.
  9. Select the Web User tab.
    1. In the NameID Format field, select Email Address.
    2. In the Username Location field, select NameID.
  10. Select Save.
  11. From the sidebar navigation menu, navigate to Users > Login Settings.
  12. Select the Default Login Methods tab; here you can set Admin Users and/or Web Users to use the login method configured above.
  13. Click Save.

Configuration is complete.
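If the first login through RSA fails, the quickest diagnosis is to look at the SAMLResponse the browser posts to /webclient/saml/consume (the SAMLResponse form field, visible in the browser developer tools) and compare it with the settings above. The script below is an added example, not code from this article or from Fortra or RSA: it decodes such a response and checks the structural points the configuration depends on, namely Destination equal to the ACS URL, Issuer equal to the IdP Entity ID, a Success status, a signed assertion (what Require Signed Assertion enforces), an emailAddress NameID, an Audience equal to the Service Provider Entity ID, the email attribute, and the NotBefore/NotOnOrAfter validity window. It does not verify the XML signature itself; GoAnywhere does that against the certificate in the System Key Vault. The response document, the hostnames idp.example.com and mft.example.com, the entity ID goanywhere-mft-prod and the user alice@example.com are constructed placeholders.

```python
"""Inspect a captured SAMLResponse against the GoAnywhere SAML settings.

Added example; not part of the Fortra article or of any GoAnywhere/RSA code.
Structural checks only: the XML signature is NOT verified here.
The response below is constructed for the demo (placeholder IdP and user).
"""
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample; a real one also carries SignedInfo/KeyInfo under ds:Signature.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://mft.example.com/webclient/saml/consume">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>goanywhere-mft-prod</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# The browser posts the response base64-encoded in the SAMLResponse field.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_response(b64, acs_url, sp_entity_id, idp_entity_id, now_utc):
    """Return what the response contains plus a list of findings (empty = consistent)."""
    root = ET.fromstring(base64.b64decode(b64))
    now = _ts(now_utc)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the GoAnywhere ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        findings.append("Response Issuer is not the configured IdP Entity ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("Status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (missing or encrypted)")
        return {"findings": findings}
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is unsigned; Require Signed Assertion will reject it")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is missing or not in emailAddress format")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        findings.append("Audience does not equal the Service Provider Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            findings.append("assertion is outside its validity window (check clock skew)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if "email" not in attrs:
        findings.append("no 'email' attribute in the AttributeStatement")
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "name_id": nameid.text if nameid is not None else None,
        "attributes": attrs,
        "findings": findings,
    }


if __name__ == "__main__":
    print(inspect_response(SAMPLE_SAMLRESPONSE_B64, "https://mft.example.com/webclient/saml/consume",
                           "goanywhere-mft-prod", "https://idp.example.com/saml/idp", "2024-05-01T12:01:00Z"))
```

When feeding it a value copied from a raw POST body, URL-decode the field first. The validity check takes the current time as a parameter so that a response saved earlier can be re-examined for the window it was valid in; a finding there on a fresh login usually means clock skew between the GoAnywhere server and RSA.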